
Re: Redirect and Origin

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 9 Jun 2009 16:05:31 -0700
Message-ID: <7789133a0906091605r3bf5a855q33199e10f972eaa2@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>

On Tue, Jun 9, 2009 at 3:40 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> I'm in general not a big fan of the redirect model in CORS, but this
> one especially seems like a problem. One solution would be to include
> the full redirect chain (or change the Origin to 'null') if
> redirecting across servers with a non-safe HTTP method.

Either of these is fine with me.  I'll update the
Origin-for-CSRF-defense draft to match whatever CORS would like to do
here.

Adam
Received on Tuesday, 9 June 2009 23:06:36 GMT
